[00:25.500 --> 00:27.340] Remember the message. [00:27.940 --> 00:29.920] The future is not set. [00:55.700 --> 00:59.280] I flew in yesterday after getting up at 4 o'clock in the morning. [01:01.420 --> 01:07.420] But anyway, so this is going to be my talk on firewalls and fire alarms. [01:08.440 --> 01:10.080] Here's the agenda. [01:10.080 --> 01:14.060] I'm going to talk a little bit about me, very briefly. [01:14.260 --> 01:16.600] And then I'm going to tell you a story. [01:16.600 --> 01:18.500] Actually, I'm going to tell you two. [01:18.560 --> 01:26.320] And then I'm going to show you some comparisons to illustrate some points that I think are really important to understand. [01:26.320 --> 01:32.620] And we'll talk about some case studies that we get out of those particular stories. [01:32.780 --> 01:34.760] And some lessons learned. [01:35.300 --> 01:38.600] And ultimately, we're going to talk about preparing for failure. [01:38.620 --> 01:42.620] Anybody here ever had a control in place and it failed? [01:43.440 --> 01:44.540] Never, right? [01:44.540 --> 01:46.040] That never happens. [01:46.040 --> 01:49.980] And if you're one of those few people that are like, oh yeah, no, everything I put in place works. [01:49.980 --> 01:53.860] Well, either you're wrong or you just haven't figured that out yet. [01:55.200 --> 01:56.920] So this is me. [01:57.400 --> 01:59.080] I really like sloths. [01:59.080 --> 02:01.140] That's the most important thing on this slide. [02:01.160 --> 02:03.160] This is my buddy Flash. [02:04.080 --> 02:06.200] He's with the Buffalo Zoo. [02:06.480 --> 02:08.180] I work at the University of Buffalo. [02:08.180 --> 02:10.540] I've been there over 25 years. [02:10.640 --> 02:19.580] I'm also, what is not on this slide, I've been a volunteer firefighter almost 30 years, which is where some of these ideas come from, putting these two things together. 
[02:19.720 --> 02:23.840] In this space, in terms of technology, I volunteer with a whole bunch of things. [02:23.840 --> 02:28.340] I speak all over the place, and as I mentioned, I love sloths. [02:28.880 --> 02:30.680] Who's ready for story time? [02:31.080 --> 02:32.460] Ready for stories? [02:32.460 --> 02:33.320] All right. [02:34.200 --> 02:38.020] Who's heard of the Iroquois Theater or the fire it had? [02:38.920 --> 02:41.900] Yeah, probably just a couple of Chicagoans. [02:42.120 --> 02:43.320] Yeah, okay. [02:43.340 --> 02:48.560] So don't add too much if you know a whole lot about this particular story. [02:50.020 --> 02:52.220] Yes, it was a fire. [02:52.220 --> 02:53.180] We'll get there. [02:53.860 --> 02:58.720] So the Iroquois Theater was built, and it opened in 1903. [02:59.260 --> 03:05.080] Now, you have to understand the story behind the building of the Iroquois Theater. [03:05.200 --> 03:13.680] There had been a Brooklyn Theater, which had burned to the ground in the late 1870s in New York, and it was a disaster. [03:13.800 --> 03:15.080] A lot of people died. [03:15.080 --> 03:21.100] I think it was like 275 people died because there weren't a lot of things in place to save people. [03:21.100 --> 03:22.960] Construction was a problem. [03:23.080 --> 03:25.100] There were just numerous issues. [03:25.360 --> 03:37.480] When they went to put this theater together, the person who designed it said, nope, we need to design a theater that will avoid all of those catastrophes. [03:37.480 --> 03:44.880] So if you look carefully, you can see this says absolutely fireproof. [03:45.720 --> 03:48.360] What do we know about absolutes? [03:48.360 --> 03:50.640] Only Sith believe in absolutes. [03:51.640 --> 03:54.500] Yeah, absolutes are crap. [03:54.500 --> 04:04.600] But what's really important here is that it was designed well. [04:04.600 --> 04:09.820] There were a lot of really good controls that it was designed to have. 
[04:10.240 --> 04:14.240] So it was built, the exterior was all concrete, right? [04:14.240 --> 04:17.520] And concrete's pretty good at preventing fire spread. [04:17.820 --> 04:30.660] There was meant to be an asbestos curtain that had a brass metal frame, a heavy brass frame, because most theater fires, when they occurred, they would occur on or behind the stage. [04:30.660 --> 04:39.340] So if you could bring a curtain down and separate the audience from the backstage area, you could save a lot of lives. [04:39.340 --> 04:41.740] So this was really a pretty good idea. [04:42.260 --> 04:44.540] They had what were called ventilators. [04:44.620 --> 04:46.900] Ventilators were really skylights. [04:46.900 --> 04:58.920] They were giant skylights that had a mechanism that you could open, so that if there were smoke and hot gases and you had this problem, you could open them and that would get sucked up and outside and it would be a whole lot safer. [04:59.860 --> 05:04.120] They also hired what they called a house fireman. [05:04.120 --> 05:14.940] A house fireman was a man at this time who was a fireman who was hired to literally be in the theater during every production and be watching for problems. [05:14.940 --> 05:16.060] So that seems good, right? [05:16.060 --> 05:18.040] You have a human who's there who's watching. [05:18.040 --> 05:20.760] It's not just relying on some of these other things. [05:20.880 --> 05:24.920] There were more than 30 large emergency exits. [05:24.980 --> 05:27.840] The Brooklyn Theater did not have a lot of exits. [05:27.840 --> 05:29.700] That was one of the major problems. [05:29.860 --> 05:31.900] So they said, yeah, we're going to go overboard. [05:31.900 --> 05:33.000] There's going to be a ton of exits. [05:33.000 --> 05:34.020] It's going to be great. [05:34.420 --> 05:36.560] They had multiple fire escapes. [05:37.340 --> 05:41.680] All theaters in Chicago at the time were required to have sprinklers. 
[05:41.920 --> 05:46.280] Not only was this theater going to have sprinklers, it was going to have what's called a standpipe. [05:46.360 --> 05:59.020] And a standpipe, if you've ever been in any construction, even recent in a large structure, there are these big pipes, and firefighters bring in hose and connect to them. [05:59.100 --> 06:01.500] And there's one of a couple different ways it can work. [06:01.500 --> 06:10.840] You either hook it up, and there's actual, when you open the valve, water flows, or it allows you to flow water into it. [06:10.840 --> 06:13.340] So there's a couple different ways this can work. [06:13.340 --> 06:21.100] But it adds to, so you have the sprinklers from above, and you have these standpipes that firemen could hook into to give them extra water. [06:22.260 --> 06:24.180] And building inspections, right? [06:24.180 --> 06:29.300] That was a thing that was happening in Chicago, and in theory, it passed building inspection. [06:29.820 --> 06:33.780] This is the theater in 1903. [06:34.240 --> 06:38.680] We'll come back to this picture, but you can see it was not a small place. [06:39.840 --> 06:42.920] In fact, this was the inside. [06:42.920 --> 06:45.200] This was a very opulent theater. [06:45.200 --> 06:59.400] And one of the big differences beyond the safety features of the theater between the Brooklyn and this was the fact that it had a humongous stage, which you can't really see here, but the stage and the backstage area were actually larger. [06:59.540 --> 07:03.180] This was a 1,600-seat theater. [07:04.140 --> 07:04.820] Okay? [07:05.960 --> 07:15.020] However, the day of the fire, there were more than 2,000 people in that space, and we'll talk about why that is in a minute. [07:16.080 --> 07:25.560] So the problem is, there were a lot of assumptions about this building, and this is the result of those assumptions. [07:26.180 --> 07:29.340] There was a very cold day. [07:29.640 --> 07:31.900] It was December 30th. 
[07:32.100 --> 07:35.200] December 30th in Chicago is when? [07:35.200 --> 07:37.520] What happens around that time of year? [07:38.380 --> 07:42.580] Well, it's close to New Year's, but what else is going on in general? [07:43.480 --> 07:46.520] Winter, and the kids are... [07:46.520 --> 07:48.320] they're on vacation, right? [07:48.320 --> 07:53.000] They're off, they're on a break, and this was a matinee performance. [07:53.500 --> 07:58.840] The bulk of the people in this audience were women and children who had come to see Mr. [07:58.860 --> 07:59.980] Bluebeard. [08:00.000 --> 08:01.780] Now, what I will tell you about Mr. [08:01.780 --> 08:12.800] Bluebeard is that it was actually a very strange choice for children that the original play was about this fellow Mr. [08:12.800 --> 08:15.440] Bluebeard who had killed multiple wives. [08:15.440 --> 08:17.800] I think he had seven or eight of them. [08:17.880 --> 08:25.520] And the eighth or ninth wife figures this out when she discovers the dead bodies of the rest of the wives. [08:25.540 --> 08:27.720] Totally a children's play. [08:27.720 --> 08:34.740] But they change it up, they make it child-friendly, if you will, by having the wives come back to life at the end. [08:35.590 --> 08:38.220] I'm telling you, this was a huge performance. [08:38.220 --> 08:40.400] People absolutely enjoyed it. [08:40.400 --> 08:42.640] The theater was massively packed. [08:42.960 --> 08:46.080] The reason why there were 2,000 people in that theater? [08:46.080 --> 08:51.540] There were 350 people who were there just working. [08:51.760 --> 08:57.800] So between the actors and the stagehands and the makeup people and, and, and, and. [08:57.840 --> 09:10.380] So you have 1,600 capacity seats, you have 350 people working, and then you have the fact that they kept selling standing-room-only tickets. [09:10.400 --> 09:12.940] Because standing-room-only was allowed at the time. 
[09:12.940 --> 09:17.280] You very quickly get to over 2,000 people. [09:17.880 --> 09:25.620] When all was said and done, 602 people were dead, again, most of them women and children, and 250 were injured. [09:25.620 --> 09:30.680] It is and remains the worst fire in a single building in history. [09:30.680 --> 09:33.660] It was absolutely devastating. [09:34.760 --> 09:44.720] Okay, now that we've talked about that happy story, who here knows anything about the Irish healthcare system and ransomware? [09:44.720 --> 09:46.360] Anybody hear about that? [09:46.720 --> 09:48.300] Okay, at least one. [09:49.420 --> 09:52.260] So I'm guessing most of you don't. [09:52.260 --> 09:53.460] That's cool. [09:53.460 --> 09:55.940] So this is a different kind of disaster. [09:56.760 --> 09:59.760] So this is the Irish healthcare system. [09:59.760 --> 10:05.460] 4,000 locations with 54 acute hospitals. [10:05.460 --> 10:08.060] This is a big hospital system. [10:08.060 --> 10:10.360] 130,000 staff. [10:10.360 --> 10:21.200] They had over 70,000 devices, different varied support levels of IT throughout those, and 350 IT staff. [10:21.200 --> 10:29.400] So, you know, they had a lot of people doing a lot of stuff, and it was classified as critical infrastructure. [10:29.680 --> 10:33.800] What do we assume is the case with critical infrastructure? [10:33.800 --> 10:36.540] What kind of protections do we think are probably there? [10:37.820 --> 10:39.220] Yeah, the good kind. [10:39.220 --> 10:40.620] Not helpful. [10:40.640 --> 10:46.280] Specifically, what kinds of things do we think, you know, should be there, right, in critical infrastructure? [10:47.800 --> 10:51.340] Backups, multi-factor, firewall, EDR, right? [10:51.340 --> 10:55.260] So what they did have, they had a security operations team. [10:55.260 --> 10:56.300] This is good. 
[10:57.200 --> 11:07.120] They had some kind of cybersecurity solutions providers because this is such a weird distributed environment that they may have had more than one. [11:07.120 --> 11:10.260] It was sort of hard to tell reading the document. [11:10.660 --> 11:14.420] There was a very, very detailed write-up that I'm taking all of this from. [11:14.780 --> 11:19.060] They had an incident provider on retainer, so that's good. [11:19.060 --> 11:23.620] They had AV installed, and they did, in fact, have firewalls. [11:23.820 --> 11:27.020] So, I mean, you know, not terrible. [11:29.220 --> 11:33.900] Unfortunately, they suffered a massive ransomware attack. [11:35.020 --> 11:42.260] So this is what they put out on Twitter when it happened, and they were like, yep, we shut everything down. [11:42.460 --> 11:45.500] Now I'll give you a little timeline of what happened here. [11:46.300 --> 11:56.480] On May 14th at 1 a.m., the attacker executed Conti ransomware on six of the hospitals. [11:57.620 --> 12:00.100] But the attacker had been there a while. [12:00.100 --> 12:02.240] This wasn't their first rodeo. [12:02.260 --> 12:10.080] At 2:50 a.m., there were notifications to the service desk about a bunch of systems that were suddenly encrypted. [12:10.580 --> 12:12.600] That's a bad sign. [12:13.460 --> 12:23.080] At 4:36 in the morning, they discovered not only were they hitting these systems, presumably workstations, now they were in the data center. [12:23.480 --> 12:25.420] This is not good, right? [12:25.420 --> 12:27.240] We all know when that happens. [12:27.240 --> 12:37.200] And then, of course, at 7:28, finally they make this announcement, but at 5:10 is when they actually make the decision to shut the systems down. [12:38.240 --> 12:41.320] So this is not wonderful, right? [12:41.320 --> 12:45.620] We have a company that is in trouble. [12:47.140 --> 12:49.140] So what happened as a result? 
[12:49.140 --> 12:55.520] Well, they had to move to paper and pencil, and they were used to having access to all those records. [12:56.840 --> 13:01.780] Remember, this hit how many of those hospitals? [13:03.100 --> 13:04.380] Six. [13:04.660 --> 13:08.320] How many had cancellation of services as a result of this? [13:08.420 --> 13:09.700] 31. [13:09.700 --> 13:14.420] So just because the ransomware didn't hit the hospital doesn't mean it wasn't impacted. [13:14.560 --> 13:22.020] So they had to cancel a bunch of things, diagnostic services and radiotherapy and elective surgery and, and, and, and. [13:23.440 --> 13:27.840] In addition, they didn't have access to patient information systems. [13:28.220 --> 13:33.620] Because they were doing all of this manually, it was really hard to identify people. [13:33.620 --> 13:36.560] Like, how do you really know this is the right person? [13:36.560 --> 13:47.680] I mean, how many of us have seen shows on TV or had personal experiences or know people where you're supposed to have surgery on one leg and maybe they were going to do surgery on the wrong leg? [13:47.680 --> 13:50.380] Like, this shit happens in real life. [13:50.580 --> 13:52.200] And that's problematic. [13:52.280 --> 13:58.560] Well, they were dealing with way more of this than usual because they didn't, they had no way to even see those records. [13:58.700 --> 14:04.860] They had trouble managing waiting lists for, for their, you know, their waiting areas and the ER. [14:04.860 --> 14:10.940] They couldn't report results easily and, you know, prescribing medications. [14:11.220 --> 14:14.240] Good luck, because you don't know what people were on. [14:14.240 --> 14:18.680] You have to rely on them telling you or bringing you a bottle and showing you. [14:18.680 --> 14:20.860] I mean, this was a mess. [14:21.300 --> 14:29.860] Now, what I will say is that this hospital had been very good at dealing with issues like COVID. 
[14:30.040 --> 14:34.840] They had gotten pretty good at being able to react and take care of things. [14:34.840 --> 14:45.780] When they did go to the paper-based system, at least they weren't completely struggling because they were like, okay, you know, we, we've dealt with worse things in, with humans, right? [14:45.780 --> 14:47.400] So we, we got this. [14:47.440 --> 14:51.340] But obviously, this was still a pretty big problem. [14:52.840 --> 14:57.700] All right, so I want to, I want to bring up a couple of terms and let's talk about them. [14:58.200 --> 15:03.080] So when you see the word fireproof, what do you think of? [15:05.020 --> 15:06.320] Won't burn. [15:06.320 --> 15:07.840] Anything else? [15:09.680 --> 15:10.700] What? [15:11.660 --> 15:13.240] Can't hear you. [15:17.340 --> 15:19.700] Yeah, no, not alcohol. [15:21.240 --> 15:23.600] I understand the temptation. [15:24.420 --> 15:28.240] So won't burn is, is really the most common thing. [15:28.400 --> 15:30.960] So here's a cool thing that I'll tell you. [15:30.960 --> 15:34.160] What if I told you solid objects don't burn? [15:35.040 --> 15:37.040] What do you think about that statement? [15:38.020 --> 15:39.720] Throw it in the sun. [15:40.400 --> 15:43.880] So what I will tell you is that's actually a true statement. [15:44.460 --> 15:46.400] Solid objects do not burn. [15:46.400 --> 15:50.600] The way solid objects burn is indirectly. [15:50.780 --> 15:54.820] You heat a solid object to a point where it gives off a vapor. [15:55.520 --> 15:59.600] And once that vapor is hot enough, it will ignite. [16:00.600 --> 16:06.180] What is burning is the vapor, not the object. [16:06.620 --> 16:09.980] So solid objects do not burn. [16:09.980 --> 16:21.500] However, when thinking about this term fireproof and this idea that things cannot catch fire or cannot be on fire, this is a misnomer. [16:21.780 --> 16:24.800] How many of you have heard of fireproof safes? 
[16:24.920 --> 16:26.880] At least a few of you. [16:26.880 --> 16:30.720] Do you think that those safes will never burn? [16:32.220 --> 16:34.060] They're time-rated, right? [16:34.060 --> 16:35.380] That's the key. [16:35.380 --> 16:38.040] So we'll come back to that idea. [16:39.600 --> 16:41.320] What about this word? [16:41.900 --> 16:42.680] Secure. [16:42.680 --> 16:44.080] What does this mean? [16:46.350 --> 16:49.110] Will or can't be hacked, right? [16:49.110 --> 16:50.010] What else? [16:50.010 --> 16:50.550] What? [16:50.590 --> 16:53.110] It's an emotion, yes. [16:53.110 --> 16:54.410] What else? [16:58.190 --> 16:59.330] What else? [17:00.030 --> 17:01.510] Can't be hacked, right? [17:01.510 --> 17:03.650] So it's what? [17:04.510 --> 17:05.350] Protected, right? [17:05.350 --> 17:12.210] It's this idea, just like this idea of fireproof, it's kind of like the ultimate level of security, right? [17:12.210 --> 17:13.350] It's secure. [17:13.350 --> 17:15.290] It's the place we want to go. [17:15.350 --> 17:20.230] And when we build buildings, there's this idea that we want them as fireproof as possible. [17:21.950 --> 17:35.550] The problem is, and the themes we have seen with both of these stories that I told you, both about the HSE and about the theater, we often think of controls as preventions. [17:35.970 --> 17:38.090] But here's the reality. [17:38.530 --> 17:40.710] Controls are safeguards. [17:41.030 --> 17:45.170] They're meant to delay disaster, not fully prevent it. [17:45.170 --> 17:51.690] If you get lucky, you might prevent it, but most of the time, it's just going to delay things. [17:51.730 --> 18:04.170] And ideally, if you can delay it long enough, that's a good thing, because it allows you to get in and do what you need to do before things get bad, in both security and in the fire service. [18:04.810 --> 18:11.470] So we need to remember that our controls will fail, and that is the assumption that I want to drive home to you. 
[18:11.530 --> 18:22.510] And in fact, even in my own fire department, I've asked them, I'd like you to run a drill, because we have a lot of new tools, right? [18:22.510 --> 18:24.110] And this is true in security. [18:24.110 --> 18:25.270] We get new gadgets. [18:25.270 --> 18:26.530] We get new blinky boxes. [18:26.530 --> 18:28.170] We get all kinds of cool stuff. [18:28.310 --> 18:31.210] And we get really good at relying on that. [18:31.210 --> 18:32.450] Who has EDR? [18:32.450 --> 18:34.270] Anybody have EDR in place? [18:34.390 --> 18:36.810] We get really good at relying on EDR. [18:36.810 --> 18:39.150] We get really good at relying on these tools. [18:39.750 --> 18:42.110] What happens when the tools stop working? [18:42.110 --> 18:46.350] Do you have anything that even alerts and tells you it's not working? [18:46.350 --> 18:49.070] How do you know if it's even working? [18:49.950 --> 19:06.830] So I've asked in my fire department, for example, let's do a drill where instead of using the jaws of life, right, to do extrication from vehicles, why don't we say, okay, we're going to do extrication, and you can't use the jaws. [19:06.830 --> 19:08.230] What are you going to do now? [19:08.450 --> 19:09.930] Well, there are lots of things we can do. [19:09.930 --> 19:12.750] We did it long before the jaws of life existed. [19:12.850 --> 19:15.910] We used tools like air chisels, right? [19:15.910 --> 19:18.350] I mean, we used all kinds of other things. [19:18.350 --> 19:20.150] We didn't use the jaws. [19:20.150 --> 19:26.710] Now, that doesn't say we don't want those as our first line of defense if we can, but we need backups. [19:27.390 --> 19:32.670] And controls really require review, much like what I was saying about EDR. [19:32.730 --> 19:40.110] If you don't know the answer to how do I know my tool is working the way it's supposed to, you have a problem. [19:40.810 --> 19:43.270] You should be able to answer that question. 
[19:43.690 --> 19:49.930] That is what offensive security, by and large, is designed to teach you, but there are ways you can do it on your own. [19:51.610 --> 20:00.530] So these are the three types of basic controls we're going to talk about, and then I'm going to talk about one additional idea, but this is our foundation. [20:00.530 --> 20:04.230] So we're going to talk about prevention, detection, and containment. [20:05.090 --> 20:14.350] So using the case studies from the fire and from HSE and their ransomware, we're going to look at each of these. [20:16.210 --> 20:19.050] So here's my little boy scout, right? [20:19.050 --> 20:23.690] We want to always be prepared, so we want to prevent the bad things. [20:23.690 --> 20:28.530] So in general, these are the kinds of things that usually we put in place, right? [20:28.530 --> 20:34.410] So the fire service, building codes, inspection, education, InfoSec, firewalls, access controls. [20:34.410 --> 20:38.430] Again, this isn't everything, but these are, you know, just some things we usually think of. [20:40.470 --> 20:44.190] So here are some failures in terms of prevention in the fire service. [20:45.470 --> 20:53.270] So that building that was built in 1903, yeah, there were a whole bunch of mistakes made along the way. [20:53.630 --> 20:56.250] The biggest was that they were in a hurry. [20:56.310 --> 21:04.130] They were in a hurry because the theater season kicks off in October, and they wanted that theater open by October. [21:04.410 --> 21:05.890] And they got it. [21:05.970 --> 21:07.350] It kept getting delayed. [21:07.350 --> 21:18.390] There were all kinds of problems with strikes, strikes, things that didn't even make sense because it was like bricklayers in New York City, and what does that have to do with Chicago? [21:18.390 --> 21:19.510] But it didn't matter. [21:19.510 --> 21:22.210] The point is, they had one delay after another. 
[21:22.210 --> 21:24.490] So they kept pushing and pushing and pushing. [21:25.030 --> 21:26.530] Remember that curtain? [21:27.090 --> 21:34.830] Well, that curtain had some asbestos in it, but most of it was wood pulp, and it never did have that magical frame. [21:34.990 --> 21:40.110] So it caught fire like everything else. [21:41.360 --> 21:48.970] If you look carefully, you will see this was the light that arced, that caused the spark. [21:49.190 --> 21:53.950] That spark caught some gauze-like curtains. [21:54.010 --> 22:00.650] Those gauze-like curtains decided to hang out with some scenery that was there, right? [22:00.890 --> 22:04.070] And what do you think that scenery was painted with? [22:05.250 --> 22:06.210] What? [22:06.730 --> 22:07.490] Oil. [22:07.490 --> 22:08.870] Yes, oil-based paints. [22:08.870 --> 22:12.850] And when they brought that scenery in, remember the fireman I told you about? [22:12.850 --> 22:14.450] He was like, get that crap out of here. [22:14.450 --> 22:15.430] We don't want that here. [22:15.430 --> 22:17.770] And they were like, but this is the show. [22:17.930 --> 22:21.210] And he eventually relented, right? [22:21.910 --> 22:29.650] So the flammable scenery gets allowed in, and then, remember I told you, all of this was done in a humongous hurry. [22:30.450 --> 22:35.370] So the inspectors were told, hey, bring your kids to the show. [22:35.370 --> 22:39.710] We'll give you free tickets if you just look the other way. [22:39.950 --> 22:47.850] The man, the fireman who was there, actually did point out a whole bunch of problems, and we'll get to that later. [22:48.550 --> 22:53.410] So in HSE, they had a lot of legacy systems. [22:53.410 --> 22:56.350] End of life, this is a problem. [22:56.530 --> 23:04.910] They had no patch maintenance, because that's always a good idea, which doesn't mean nothing was patched, but there wasn't any kind of consistency. 
[23:05.290 --> 23:12.110] And in some places, yes, they were running antivirus in monitor mode, because that's helpful. [23:13.990 --> 23:23.890] So if we analyze these failures, and you're going to see a repeat of this concept, so we're going to look at the cause, how we can resolve it, and some key takeaways. [23:24.190 --> 23:28.130] So there was a false sense of security here, right, in both cases. [23:28.170 --> 23:35.270] We thought the healthcare system was in good shape, because they were considered at the level they were. [23:35.270 --> 23:38.610] We thought that theater had all those protections in place. [23:39.390 --> 23:45.590] Nobody had verified the expected controls in either case, which is why everything fell apart. [23:46.010 --> 23:49.730] They also assumed those controls would act the way they were supposed to. [23:49.730 --> 23:57.290] They had the curtain, the ventilators were there, but they didn't work the way they were supposed to, and nobody was testing anything. [23:58.310 --> 23:59.990] So how do you resolve that? [23:59.990 --> 24:15.850] Well, obviously, you know, if they claim there's a control in place, if you think you have something that does a thing, not only should you verify that it, you know, first you want to verify it works, then you want to make sure, is it even really there? [24:15.850 --> 24:24.630] Like, maybe there's something that works the way you expect the tool to work, but there's something else doing that. [24:24.630 --> 24:26.910] And I've seen this kind of thing with firewalls, right? [24:26.910 --> 24:40.410] Oh, it's being blocked because of the firewall, and it comes to find out, no, actually, it wasn't the firewall, it was some other tool, so you think the firewall is doing what it's doing because you see something's blocked, but in reality, it was some other tool blocking it, [24:40.410 --> 24:42.670] and your logs don't differentiate. [24:42.790 --> 24:43.390] Yay. 
[24:44.070 --> 24:46.110] So you want to audit your controls. [24:46.110 --> 24:48.010] This is your key takeaway. [24:48.330 --> 24:51.530] Relying on inspect and controls is not good. [24:51.530 --> 24:56.030] You need to verify and maintain them and test them all the time. [24:56.310 --> 24:57.350] And I know that's a lot. [24:57.350 --> 24:58.150] You have a question? [25:00.030 --> 25:07.110] It does cost money, but there are some ways to, you know, automate things, and you can take little pieces. [25:07.110 --> 25:10.270] I mean, you don't have to do it all at once, right? [25:10.930 --> 25:11.690] Right. [25:11.690 --> 25:12.550] No, I get it. [25:12.550 --> 25:13.150] It is. [25:13.150 --> 25:14.530] It can be expensive. [25:14.530 --> 25:17.810] All right, so let's move to detection. [25:18.130 --> 25:24.910] So in terms of the fire service, the thing we most know about, right, smoke and heat detectors and fire alarms. [25:25.390 --> 25:44.010] And while this is not actually in the presentation itself and didn't play a role necessarily at the theater, just as an FYI, because I've been a firefighter for a long time, you should know whether your smoke alarms, what kind they are. [25:44.010 --> 25:47.770] Because they don't all detect the same things. [25:47.930 --> 25:49.530] Some of them detect heat. [25:49.590 --> 25:51.850] Some of them detect ionized particles. [25:52.130 --> 25:54.170] And some of them do both. [25:54.230 --> 26:01.530] And the problem is, you think you have a smoke detector that will do the thing you want it to do until the fire happens. [26:01.530 --> 26:04.250] And then you're like, why didn't my smoke detector go off? [26:04.250 --> 26:05.650] I put batteries in it. [26:05.650 --> 26:06.710] I pressed the button. [26:06.710 --> 26:07.890] It worked right. [26:07.890 --> 26:10.150] So just a little PSA. [26:10.290 --> 26:12.730] Check your smoke detectors. [26:12.730 --> 26:14.430] Know what you have in the house. 
[26:14.430 --> 26:18.590] I always recommend dual to make sure you have that full protection. [26:18.690 --> 26:20.690] Anyway, back to the show. [26:21.450 --> 26:33.130] So in terms of InfoSec, some sort of intrusion detection and regular monitoring, honey pots, honey tokens, these are standard detection things. [26:33.950 --> 26:37.990] So in the fire service in this particular case, there was no fire alarm system. [26:37.990 --> 26:46.010] And not only was there no fire alarm system in this theater, at the time, has anybody seen the pull boxes that are in old cities? [26:46.150 --> 26:48.530] There was no pull box. [26:48.730 --> 26:50.170] At all. [26:50.270 --> 27:05.090] So the only reason that folks knew there was a fire, and I'll go back to this toward the very end of my talk, that first picture that I showed you of the theater, it was already on fire. [27:05.370 --> 27:09.130] In the upper left-hand corner, there was actually smoke showing. [27:09.130 --> 27:17.850] So it wasn't until the firemen yelled and had somebody run down multiple blocks to actually do something about it that they found out about it. [27:18.130 --> 27:23.970] And those sprinklers, yeah, they never actually installed them, and this standpipe was never connected to anything. [27:23.970 --> 27:25.230] That's a problem. [27:26.170 --> 27:32.370] In InfoSec, this is a problem I see all the time that drives me nuts. [27:32.470 --> 27:38.790] We see our tool has remediated things, and we go, oh, it must be good. [27:38.790 --> 27:45.170] For example, my EDR detected Mimikatz, and it stopped it. [27:45.790 --> 27:46.790] Excellent. [27:46.790 --> 27:48.530] That is what it should do. [27:48.570 --> 27:49.890] Fantastic. [27:49.950 --> 27:55.060] What does an attacker do when your tool finds a way to stop that sort of thing? [27:56.090 --> 27:59.750] Try it again, and try it a different way. [27:59.750 --> 28:04.090] There are a bazillion ways to run Mimikatz, not just one. 
[28:04.170 --> 28:11.230] So if your tools detect something like that, you should be looking for a secondary way in. [28:11.230 --> 28:13.310] Look for attackers somewhere else. [28:14.010 --> 28:17.170] There wasn't any kind of continuous monitoring. [28:17.210 --> 28:18.310] Yes, they had AV. [28:18.310 --> 28:25.450] Yes, they had folks who supposedly were watching things, but they had no formal monitoring thing in place. [28:25.450 --> 28:35.890] They had, you know, no humans that were actually looking at those logs, and they assumed that the AV was working the way it was supposed to, you know, blocking things, not in monitor mode. [28:36.990 --> 28:40.130] So let's analyze these failures. [28:40.690 --> 28:44.090] Again, a false sense of security in both cases. [28:44.470 --> 28:51.130] The tools were not working as expected, and we didn't verify those controls. [28:51.690 --> 28:57.150] And in the case of the AV, right, it was misconfigured because no one ever actually put it in block mode. [28:58.290 --> 29:01.050] So how do we resolve that? [29:01.050 --> 29:10.590] Well, like I said before, verify those controls actually work, and do regular testing, and verify those tools work the way you expect them to. [29:11.870 --> 29:15.530] So again, detection systems, you got to verify them. [29:15.530 --> 29:18.930] I know this sounds redundant, but that's part of the point, right? [29:18.930 --> 29:23.130] I'm saying the same thing over and over because we don't do it. [29:24.610 --> 29:26.170] What about containment? [29:26.170 --> 29:27.950] This is one of my favorites. [29:28.470 --> 29:32.090] So in the fire service, we have fire extinguishers, sprinklers. [29:32.090 --> 29:37.290] We have what are often called fireproof walls, but they're really fire-resistant walls. [29:37.390 --> 29:42.030] Like we heard with those safes, they are time-rated. [29:42.070 --> 29:46.850] They are meant to allow people to escape or get out before they fail. 
[29:47.130 --> 30:00.430] And in InfoSec, in theory, we have incident response, and HSE did have IR on retainer, and when they did figure out they had a problem, they did call them in, and it was Mandiant, and they started working this case. [30:01.190 --> 30:07.750] If you don't have a way to isolate systems, that's not ideal because that's another thing you want to be able to do. [30:07.750 --> 30:15.230] So you should ask yourself, if you know a system is doing something bad, do you have a way to isolate that in any case? [30:16.250 --> 30:19.750] So in terms of the fire service, this is fabulous. [30:19.850 --> 30:21.890] So look at this little stick thing. [30:22.430 --> 30:24.050] This is cool. [30:24.290 --> 30:26.770] This is what they gave the firemen. [30:27.530 --> 30:30.110] This is a fire extinguisher. [30:30.270 --> 30:31.870] And you're like, what? [30:32.710 --> 30:41.650] So this is called a Kilfyre, and it is really meant you throw some powder on a small fire and it puts it out. [30:41.650 --> 30:46.610] It is not meant for the fire to be up on top in a curtain. [30:47.190 --> 30:49.530] So, you know, this poor guy is, like, throwing... [30:49.530 --> 30:51.970] he had, like, six of them, and he's, like, throwing the powder. [30:51.970 --> 30:53.790] It's doing nothing, right? [30:53.790 --> 30:55.810] Wrong tool for the job. [30:56.750 --> 31:00.370] He wasn't given any other tools, just those. [31:00.610 --> 31:12.630] Those ventilators that were such a good idea to allow those heat and gases to escape, yeah, they never actually finished them, so they just nailed them shut, because otherwise cold air would get in, and I did mention it was winter, right? [31:12.750 --> 31:13.770] Yeah. [31:13.770 --> 31:18.170] I mentioned the standpipe never connected, and there wasn't a sprinkler system. [31:18.170 --> 31:20.670] So there was no way to contain that fire. 
[31:20.670 --> 31:37.450] So in terms of InfoSec, well, they had a flat network, a completely flat network, which is not cool, and so they had no visibility at all beyond certain specific systems. [31:37.690 --> 31:43.170] Again, I mentioned the monitor mode, but they also had a problem with communication. [31:43.210 --> 31:52.690] They had no governing structure, no CISO, no, you know, nobody in charge of security. [31:52.850 --> 31:59.890] So there were all these, like, disparate little IT community bits where none of them were talking to each other. [31:59.910 --> 32:16.250] So what I didn't cover is that there were, in fact, hospitals that detected some badness and prevented this from being even worse in their environments, but it was only their environments, because who were they going to call? [32:16.250 --> 32:18.990] Because there was no central place to call. [32:19.650 --> 32:31.190] At one point, their security operations folks called when they saw active, active activity from an attacker in a system. [32:31.850 --> 32:37.470] They called the sysadmins and they said, I want you to reboot the server immediately. [32:38.170 --> 32:40.230] Boy, that was effective. [32:41.170 --> 32:43.210] Yeah, like, what? [32:43.210 --> 32:46.890] So clearly these folks hadn't gotten the training they needed. [32:47.350 --> 32:57.930] It was discovered later on that they found at least 16 systems with issues that were never, ever addressed. [32:59.090 --> 33:05.870] And again, you know, you assume AV, EDR is going to save you in all cases, you're making a huge mistake. [33:06.650 --> 33:10.710] So we'll look at the analysis of the containment space. [33:11.650 --> 33:15.850] Obviously human error here played a huge role in all of the things. [33:16.870 --> 33:26.330] That fireman tried to tell people, Houston, you have a problem, because he walks through the theater and he's like, he clearly can see there's a problem. 
[33:26.830 --> 33:36.070] But here's the thing, he'd been working for a different theater at one point or some other facility, and he'd been fired because he was too aggressive. [33:36.070 --> 33:37.630] That's what they called it. [33:37.630 --> 33:42.090] He was too aggressive in talking about what the problems were that he discovered. [33:42.710 --> 33:47.650] So he tried to tell people, but he was like, I don't want to go too far because I don't want to get fired. [33:48.350 --> 33:51.070] Instead, you know, all these people die. [33:51.070 --> 33:51.530] Yay! [33:53.310 --> 33:54.590] Inadequate design, right? [33:54.590 --> 34:01.290] So in the HSE case, we certainly have a situation where a flat network is going to be a disaster. [34:01.410 --> 34:07.230] In the case of the theater, you know, it's well designed, but not as well implemented. [34:07.410 --> 34:11.430] But we're going to see there were some design flaws, too. [34:11.950 --> 34:14.130] Again, lack of verification. [34:14.530 --> 34:17.190] There were inconsistencies in tool configurations. [34:17.190 --> 34:19.670] Some places had AV set in monitor mode. [34:19.670 --> 34:20.810] Some didn't. [34:21.190 --> 34:22.910] And again, the wrong tools are provided. [34:22.910 --> 34:24.910] So how do we solve that? [34:25.390 --> 34:29.450] Well, again, we verify those controls actually are there. [34:29.450 --> 34:32.170] Don't just assume because someone tells you they're there. [34:32.170 --> 34:33.290] Go look. [34:33.610 --> 34:40.390] If you're supposed to have some sort of EDR on every system, go and look. [34:40.390 --> 34:42.510] Is EDR on every system? [34:43.210 --> 34:45.670] You're going to need eyes on that stuff. [34:45.690 --> 34:52.890] And at a minimum, you can look right in the tool itself and see, am I missing any systems, right? [34:52.890 --> 34:56.250] And that might require multiple people looking at this. [34:56.770 --> 34:59.330] You want to make sure you have the right tools. 
[34:59.330 --> 35:11.210] Because if you don't have the right tools, and they don't have to be fancy, this is why I brought up the whole fire service and, you know, this business about let's try a drill without the fancy tools. [35:11.430 --> 35:15.450] You might need a not-fancy tool to do the right kinds of things. [35:15.930 --> 35:19.630] So make sure that you have the right tools, whatever they are. [35:20.410 --> 35:24.410] So containment is all about having those tools and education. [35:24.410 --> 35:33.130] Your folks need to know, if they see something like Mimikatz in their environment, you don't just go, yay, it was detected and caught and we're done. [35:33.130 --> 35:36.570] And you need some sort of solid communication plan. [35:36.570 --> 35:39.210] Otherwise, you will never contain the badness. [35:39.210 --> 35:40.270] Not really. [35:41.630 --> 35:53.050] Okay, so this isn't a formal control, but I think it's worth discussing, is that in both cases, there were delays and failures when responding. [35:53.290 --> 35:58.610] So the controls have now all failed in these cases, but you still need to respond. [35:58.610 --> 36:00.290] You still need to do something. [36:01.470 --> 36:03.770] So this is funky. [36:03.970 --> 36:05.430] These are doors. [36:06.010 --> 36:09.010] These were some of the doors in that theater. [36:09.590 --> 36:12.710] Look at this weird-ass locking mechanism. [36:13.550 --> 36:18.390] Now imagine you're in a smoky environment and you've never seen that before. [36:19.130 --> 36:24.090] Good luck getting the hell out of here, because you're never going to figure this out. [36:24.150 --> 36:28.410] And there were a bunch of double doors like this with these weird configurations. [36:29.170 --> 36:34.250] There were draperies covering the exits, and no exit signs, because exit signs are ugly. [36:34.250 --> 36:36.130] So we don't want any of that. [36:36.130 --> 36:38.570] This is this brand-new fancy theater. 
[36:39.650 --> 36:42.670] There were, in fact, locked doors. [36:43.190 --> 36:45.830] And who's seen Titanic, the movie? [36:46.170 --> 36:48.290] Yeah, good number of you. [36:48.490 --> 36:56.370] What keeps people getting out from steerage up to getting on those lifeboats? [36:56.370 --> 36:57.570] Gates. [36:58.230 --> 37:00.450] Well, guess what this theater had? [37:00.770 --> 37:08.270] They had gates, because they didn't want the people in the upper levels, in the cheap seats, coming down and sitting in the orchestra. [37:08.410 --> 37:17.070] So as soon as the performance would start, they'd pull those gates across to keep those folks where they should be with the ticket they purchased. [37:17.730 --> 37:19.050] Not good. [37:19.770 --> 37:24.390] It was also, as I mentioned, December, and it was cold. [37:24.930 --> 37:27.030] So weather played a factor. [37:27.550 --> 37:32.590] Nobody was trained on what to do in an emergency, much less a fire. [37:32.610 --> 37:39.030] So you have all these people who are ushers and actually working with the public, bringing them in and seating them. [37:39.030 --> 37:43.510] Not one of them had been prepared for what to do in an emergency. [37:43.870 --> 37:45.530] That was very evident. [37:46.650 --> 37:49.430] So in InfoSec, we see this all the time, right? [37:49.430 --> 37:51.730] There's no incident response plan. [37:51.870 --> 37:54.370] Have something, even if it's rudimentary. [37:54.370 --> 37:56.210] Just think about it. [37:56.210 --> 37:57.870] I mean, it doesn't have to... [37:57.870 --> 38:04.650] Yes, ultimately, you will want a formal incident response plan, but that can take time to develop. [38:04.730 --> 38:08.030] So just come up with something, even if it's a basic game plan. [38:08.030 --> 38:11.970] If you know that something bad happens, who do you go to? [38:11.970 --> 38:13.690] How do you deal with it, right? [38:13.690 --> 38:15.590] Something really basic. 
[38:16.150 --> 38:21.710] As I mentioned, with the HSE, there was no formal security oversight at all. [38:22.210 --> 38:23.750] No CISO, nothing. [38:23.750 --> 38:33.470] Clearly, there were inconsistent levels of knowledge because some of those hospitals had people that recognized there was a problem and actually knew what to do about it and prevented the badness. [38:33.470 --> 38:36.450] And then you had the ones who were like, yes, there's an attacker there. [38:36.450 --> 38:37.730] Just reboot your server. [38:37.730 --> 38:38.670] You'll be good. [38:39.470 --> 38:43.390] There was no out-of-band communication mechanism at all. [38:43.670 --> 38:47.790] So when they're all down, now how are they supposed to communicate? [38:48.510 --> 38:52.050] Think about this long before you have an incident, not in the middle of it. [38:52.050 --> 38:56.470] And there was no SOC, so there was nobody to call and nobody to escalate it to. [38:57.090 --> 39:05.290] So in terms of analyzing that, again, missing significant resources in both cases. [39:05.950 --> 39:12.090] Communication played a role in both the fire and what happened in HSE, right? [39:12.490 --> 39:18.530] How do you communicate, hey, there's a fire, without, like, standing up and screaming, hey, there's a fire. [39:18.530 --> 39:22.990] And there was no communication to anywhere else. [39:23.550 --> 39:24.630] So this is fun. [39:24.630 --> 39:32.370] Not only was there no firebox, there was no telephone in that theater, no telegraph, nothing. [39:32.870 --> 39:42.490] So literally the only reason anybody knew there was a problem was the person who ran up the street to the firehouse, which was horses, horse-drawn carriages back then. [39:42.550 --> 39:44.890] So, not good. [39:45.150 --> 39:47.890] And of course, architecture flaws, right? [39:47.890 --> 39:48.230] Staircases. [39:48.230 --> 39:53.350] We have a situation where a flat network means it's going to blow through a lot of it. 
[39:53.350 --> 40:00.890] And in the case of this theater, there were also some interesting architectural flaws in terms of where staircases were. [40:00.990 --> 40:06.310] And so there were points of egress that were very tiny and a lot of people wound up in front of them. [40:07.250 --> 40:11.310] So have some sort of clear plan, even if it's not fancy. [40:12.130 --> 40:16.330] Please educate your folks on the basics of IR. [40:16.330 --> 40:24.750] They do not need to be DFIR specialists, but they do need to know who to call and they need to know when they should call somebody. [40:24.810 --> 40:27.930] Not just, hey, we got an alert and it's resolved. [40:27.930 --> 40:32.510] They need to understand, hey, we got an alert and it's resolved, but maybe this is more serious. [40:33.610 --> 40:39.890] And I know that for some folks it's like, but what about our SOC 1 people? [40:40.290 --> 40:41.490] Our level 1? [40:41.490 --> 40:44.850] Yes, they should know when they see this stuff. [40:44.850 --> 40:48.970] They should, you know, hair on the back of their head stand up or something. [40:48.970 --> 40:50.750] They should recognize this. [40:50.750 --> 40:53.990] And a lot of folks do not get the training they need. [40:55.630 --> 40:57.290] Documentation, I'll just leave it there. [40:57.290 --> 40:59.070] Everybody understands that. [40:59.070 --> 41:03.610] And you need a way to impart critical information quickly. [41:04.370 --> 41:12.470] If you want to have effective incident response, you've got to plan, you've got to drill, and you need to have access to stuff. [41:13.510 --> 41:17.330] So let's talk about some lessons learned from both of these. [41:18.430 --> 41:20.950] I think this is particularly interesting. [41:21.750 --> 41:27.090] These were things that the fire service learned from this fire. 
[41:28.710 --> 41:36.190] Anyone heard of UL, these stickers you see on all the electronic crap that we buy except some of the stuff that was made in China? [41:37.770 --> 41:44.290] UL was developed by a man who was inspired from seeing this horrible fire. [41:44.550 --> 41:46.870] That is why UL exists. [41:47.130 --> 41:49.830] You know the crash bars we have here and here? [41:50.170 --> 41:53.910] This fire is the reason those crash bars exist. [41:54.310 --> 42:03.130] Doors were locked in theaters because they thought they didn't want outside people coming in emergency exits when they didn't have a ticket. [42:03.150 --> 42:04.990] So they would lock the door. [42:04.990 --> 42:08.670] Well now, you can do that, but people can still get out. [42:08.830 --> 42:10.770] But that's because of that fire. [42:11.350 --> 42:13.830] By the way, this is the inside of the theater. [42:13.830 --> 42:15.290] This is on the stage. [42:16.130 --> 42:24.830] I purposely did not put any pictures of the 602 bodies, but there were quite a number of photographs, even from that time period. [42:25.830 --> 42:33.210] Exits have to be clearly marked as they are in this auditorium, and not only do they have to be marked, they have to be on a separate electrical system. [42:33.210 --> 42:37.670] So if this building were to lose power, they should not. [42:38.010 --> 42:41.070] They actually have to be on a completely separate thing. [42:41.650 --> 42:43.730] And that was something they learned from this. [42:44.130 --> 42:46.730] And you have to have doors that are easy to get out. [42:46.730 --> 42:48.750] Those doors were crazy. [42:48.750 --> 42:51.530] And the fact that they had the gates, not cool. [42:52.750 --> 42:55.070] So what did HSE learn? [42:56.130 --> 42:58.970] Oh wait, a little more here, I almost forgot. 
[42:59.810 --> 43:10.410] So they also learned that they needed to use some sort of fireproofing type solution on things like backdrops, not just use oil-based paint, because that's bad. [43:11.250 --> 43:12.930] There should be a fire alarm. [43:12.930 --> 43:15.510] It should actually be connected to the local fire station. [43:15.510 --> 43:17.690] That is not always the case everywhere. [43:17.690 --> 43:18.990] Some are independent. [43:18.990 --> 43:22.410] But this is something they learned from this particular thing. [43:23.070 --> 43:28.410] There are ventilation standards now to prevent the mess that happened here. [43:28.410 --> 43:31.210] And maximum seating capacities were changed. [43:31.210 --> 43:34.530] There's no more standing room only in most theaters as a result. [43:35.310 --> 43:36.230] All right. [43:36.390 --> 43:37.910] So what did HSE learn? [43:37.910 --> 43:41.310] Well, they added a 24 by 7 monitoring service. [43:41.310 --> 43:42.790] That was a good thing. [43:42.830 --> 43:51.290] They added a temporary CISO and CTTO so that there would be somebody to actually coordinate effort. [43:51.910 --> 43:56.470] They actually segmented their legacy systems, which was smart. [43:56.470 --> 43:59.530] And they added some control platforms. [43:59.710 --> 44:03.130] They had their folks go through some security awareness training. [44:03.810 --> 44:11.130] They did things like restrict access to those authorized to use things. [44:11.130 --> 44:12.210] Shocking! [44:12.770 --> 44:18.630] They put in processes for communicating in some kind of incident this way. [44:18.630 --> 44:22.530] And they added incident response playbooks to go with that. [44:22.930 --> 44:25.910] Now, I'm telling you, this didn't happen quickly. [44:25.910 --> 44:28.410] And they also added a bunch of technology. [44:28.410 --> 44:37.950] So they now have a SIEM and UEBA and SOAR and automation and vuln scanning and all the things that they probably should have had. 
[44:38.010 --> 44:42.690] Given they were considered critical infrastructure, you would have thought these things were there. [44:42.830 --> 44:46.530] But you would have thought a theater would protect its patrons too. [44:48.550 --> 44:53.670] So in the end, we need to prepare for failure. [44:53.670 --> 44:56.890] We need to assume our controls will fail. [44:57.310 --> 45:00.330] We should always be thinking, I put this control in place, it's awesome. [45:00.330 --> 45:01.630] Now what happens when it fails? [45:01.630 --> 45:02.630] What's the next thing? [45:02.630 --> 45:03.810] What am I going to do? [45:04.610 --> 45:07.410] In the fire service, we do routine fire drills. [45:07.410 --> 45:10.490] We make sure that kids know how to get out and stay out. [45:10.610 --> 45:12.790] Who remembers stop, drop, and roll? [45:13.670 --> 45:14.450] Right? [45:14.610 --> 45:16.030] When is that useful? [45:17.530 --> 45:19.130] No, when is it useful? [45:19.650 --> 45:21.410] When you're on fire. [45:21.410 --> 45:26.110] How often are your little kids on fire such that stop, drop, and roll is a good idea? [45:27.130 --> 45:35.690] The fire service figured this out and they've started teaching things like get out, stay out and having exit drills and having plans, right? [45:35.850 --> 45:37.930] Because, what a disaster, right? [45:37.930 --> 45:40.230] Kids, you hope they aren't on fire. [45:40.230 --> 45:43.770] That's really not, you know, that would be the worst case scenario. [45:44.270 --> 45:48.110] And there should be inspections to be looking for those weaknesses. [45:48.110 --> 45:57.870] Do something like a catch-me-if-you-can TTX where, you know, an attacker gains admin somewhere and they're trying to persist. [45:57.870 --> 45:59.410] What are you going to do, right? [45:59.410 --> 46:00.850] Some basics. [46:00.850 --> 46:04.470] Can you, as an organization, deal with that? [46:04.470 --> 46:06.990] Just, you know, on the basics. 
[46:07.190 --> 46:09.370] Stephanie, you had a question or a comment? [46:09.370 --> 46:10.090] Okay. [46:10.750 --> 46:16.010] So, in terms of InfoSec, again, these TTXs are critical. [46:16.010 --> 46:19.750] We should have playbooks for some of the basics that we see all the time. [46:19.750 --> 46:23.610] We should be running drills, looking for what we would do. [46:24.370 --> 46:27.170] We should be doing some kind of detection testing. [46:27.170 --> 46:30.050] Do our detections do what we think they should do? [46:30.150 --> 46:41.410] I have another talk where I talk about the fact that detections are often not doing what you think they are, not because they're not working properly, but they're working at a different level than you think they are. [46:41.410 --> 46:54.810] So, for example, when you detect an attacker doing password attacks using LSASS, there are a bazillion ways to do that. [46:54.810 --> 46:59.810] So, if you have a tool that detects that, it probably detects a particular technique. [46:59.810 --> 47:01.370] That's fabulous. [47:01.550 --> 47:04.950] But what exactly does that mean? [47:04.950 --> 47:14.510] Well, it means that's one technique, which the way you do that technique could be any one of a hundred different ways. [47:15.050 --> 47:19.670] So, it really is just one tiny thing that you can detect. [47:21.430 --> 47:23.470] So, I'm going to wrap up here. [47:24.330 --> 47:30.930] And across the disciplines, I think you can see that we can learn from the fire service. [47:31.090 --> 47:33.030] We've got to have those layered controls, right? [47:33.030 --> 47:34.150] And we need to test them. [47:34.150 --> 47:35.610] We need to know they're there. [47:35.610 --> 47:37.370] We need to validate that. [47:37.370 --> 47:40.810] We need to make sure we have these response plans. [47:40.810 --> 47:43.470] We want to make sure those communications are there. [47:43.470 --> 47:45.550] We need to be adaptable and flexible. 
[47:45.910 --> 47:50.470] And any kind of proactive, resilient approach is going to be required. [47:51.050 --> 47:55.250] As the military frequently says, improvise, adapt, and overcome. [47:55.890 --> 48:06.690] So, my call to action to you is adopt this mindset where you assume your controls fail and to think ahead about what you're going to do as those controls fail. [48:06.690 --> 48:16.410] One of my biggest pet peeves is when somebody in our network team says, yep, but they can't get to it because. [48:17.710 --> 48:18.750] Great. [48:18.810 --> 48:20.190] Until they do. [48:22.850 --> 48:29.110] So, I always like to end with this quote because I actually got my degree in music business. [48:29.110 --> 48:33.630] I did not get a degree or anything in IT because there was no such thing. [48:33.930 --> 48:44.390] So, ultimately, I may not have gone where I intended to go, I wound up in this space instead, and I think I wound up exactly where I needed to be. [48:44.870 --> 48:47.390] And with that, I will also leave this with you. [48:47.390 --> 48:55.690] I wrote a book called The Active Defender which teaches folks how to think about defense from an offensive perspective. [48:55.970 --> 49:02.950] If your folks do not understand those basic concepts, they're missing half the part of the security story. [49:02.950 --> 49:07.410] And I'll have a bunch of flyers up here that have some more information about the book, if you're interested. [49:07.610 --> 49:11.130] I want to thank CypherCon for having me. [49:11.130 --> 49:14.610] I want to thank you all again so much for being here this late. [49:14.790 --> 49:20.130] I will take, if you guys have a couple of questions, I'm happy to take them now, or if you want to come up, either way. [49:20.270 --> 49:21.130] Thank you. [49:27.070 --> 49:28.150] Any questions? [49:28.450 --> 49:29.730] I know it's late. 
[49:34.220 --> 49:39.380] All right, I will leave it at that, and feel free to come up and see me because I think I'm the last thing of the night. [49:46.700 --> 49:47.060] CypherCon. [49:47.060 --> 49:47.340] www.cyphercon.com